Feature Request: Delay packages pulled through connectors if the package is less than x days old



  • Is it possible to add a filter which hides packages that are less than x days old in the connector settings? This is specifically packages that are pulled through external package repositories.

    The date could be the published date noted in the package.

    From a security point of view, it would be ideal that a package gets a few days or a week, to see if there are bugs or updates during that time period before actually pushing the package into the feed via the connector.

    Why: For instance NPM
    Recently the UA-parser-js was discovered to have malicious code and it took 4 days(?)
    https://snyk.io/vuln/npm:ua-parser-js


  • inedo-engineer

    @harald-somnes-hanssen_2204 unfortunately not; a feed index provides details about only the latest version of a package. You need a separate query to find details about all versions of a package, and then would need to do that query for each package in an index.

    Instead, it's better to just have a feed of approved packages that developers could use. This will let you also filter for other problems like quality.

    We recently published some advice about this, but it's for NuGet feeds. https://blog.inedo.com/nuget/package-approval-workflow

    It would work the same way for npm though.
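
The age check discussed in this thread, as an added example that is not part of the original posts and not Inedo's code: it sorts the versions of one package into those old enough to promote into an approved feed and those still inside the waiting period. It assumes npm registry package metadata with a `time` map of publish timestamps per version; the package name, dates and function names are constructed for illustration.

```javascript
// Added example: hold back npm versions younger than a cool-off period.
// Assumes the npm registry metadata document for a package, whose `time`
// map gives an ISO 8601 publish timestamp per version.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample metadata (hypothetical package, made-up dates).
const SAMPLE = {
  name: "example-lib",
  "dist-tags": { latest: "1.0.2" },
  versions: { "1.0.0": {}, "1.0.1": {}, "1.0.2": {}, "1.0.3": {} },
  time: {
    "1.0.0": "2021-09-01T00:00:00.000Z",
    "1.0.1": "2021-10-10T00:00:00.000Z",
    "1.0.2": "2021-10-22T12:00:00.000Z",
    // "1.0.3" deliberately has no publish date
  },
};

// Sort every version into eligible / quarantined / unknown.
function classifyVersions(meta, minAgeDays, now) {
  const out = { eligible: [], quarantined: [], unknown: [] };
  const times = meta.time || {};
  for (const version of Object.keys(meta.versions || {})) {
    const published = Date.parse(times[version]);
    if (Number.isNaN(published)) {
      out.unknown.push(version); // no usable date: fail closed, do not approve
    } else if ((now.getTime() - published) / DAY_MS >= minAgeDays) {
      out.eligible.push(version);
    } else {
      out.quarantined.push(version);
    }
  }
  return out;
}

// Most recently published version that has passed the cool-off, or null.
function newestEligible(meta, minAgeDays, now) {
  const { eligible } = classifyVersions(meta, minAgeDays, now);
  eligible.sort((a, b) => Date.parse(meta.time[a]) - Date.parse(meta.time[b]));
  return eligible.length ? eligible[eligible.length - 1] : null;
}

const NOW = new Date("2021-10-25T00:00:00.000Z"); // fixed clock for the sample
console.log(classifyVersions(SAMPLE, 7, NOW), newestEligible(SAMPLE, 7, NOW));
```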

